As a leading Virtual data room service provider, we know how to protect your confidential information. Some use a virtual data room only for specific high profile transactions like an M&A/IPO or Fund Raising etc., while others use a Virtual Data Room extensively for managing all their internal documents. What companies have realised is that although their documents are completely secured with Virtual Data Room, they have little to no control over the documents which are still stored in emails, networks, drives and desktops. In the past few years a number of our clients have asked us to share our best practices regarding document handling to implement inside their companies. Upon request, here are some ways in which a document retention a disposal policy will ensure the integrity of the data in your possession
Identify the Risks
Business people are often surprised to learn how open to risk their confidential data is. When a company is in the process of preparing a contract or budget, whether for day-to-day operations or for a deal such as a merger or acquisition, various employees usually work on the documents. It’s easy to forget that the information you’re working so hard to protect is stored in multiple insecure places, including:
- Within the body of email messages sent to staff involved in creating the documentation
- In attachments to email messages, on the computers of both the sender and the recipient
- On servers belonging to the email hosting provider, particularly when web-based email is used
- On the hard drives of the people working on the documents
- On the company servers, if the files are made accessible to other parties, as well as in server backup media which may be stored offsite
- On portable media such as flash drives, CDs or other external media, usually for transportation purposes
The information contained in these interim documents might not be the final version, but it can cause damage if it is leaked even in an incomplete format.
Implement a Retention Policy
When you’ve identified all the locations where your information could be compromised, you’ll need a comprehensive document retention policy to address this issue. Reputable data room service providers use processes to ensure that they comply with requirements for data security. While electronic documents are easier to distribute unlawfully than paper ones, as explained in our post on how human behaviour can compromise data, these principles apply to the storage of hard copy documents as well:
- Implement a policy that outlines the length of time during which a specific category of documentation may remain stored on the company’s computers.
- Include version control mechanisms so users can remove former versions and retain only the current copy of each document. Make provision in the policy for draft documents to be discarded as soon as an official version exists.
- Identify which electronic documents should be stored, the location and length of time for which they should be retained.
- Involve your IT department in determining the parameters of the policy and the methods by which you intend to enforce it.
- Educate your employees about the risks surrounding electronic documentation and explain the legal consequences of not complying with your policy.
You may face unnecessary challenges if evidence exists of documents being retained for longer than required. Conversely, destroying documents you should retain can be equally problematic.
Set Guidelines for Disposal
While the document retention policy minimizes the risk of information leaks, it also needs to list the protocols for discarding documents received or created during the course of regular business. A consistent and secure system for the disposal of records should be instituted in accordance with an approved Records Retention Schedule
Most guidelines stipulate requirements for a “final destruction” report, which lists the identification number of each record, the date of disposal and the name of the person who authorized it. Email and instant messaging records are typically migrated to a digital archive, which is programmed to automatically purge the records at the end of the period specified in the retention schedule. A virtual data room reduces your risk of exposure by using many of these security protocols, and given that the most secure option for any data is to ensure that one and only copy exists, it makes sense to store it in such a virtual location.